Access & Authentication

OneLogin SSO (Advanced)

Using OneLogin allows you to set up a direct link from your OneLogin dashboard to ProdPad. This will allow users to log in to ProdPad without having to enter a password in ProdPad.

Note

Please check your account subscription. The steps in this guide are for Advanced accounts, Performance and Enterprise customers may need to make additional configuration, which can be seen here.

OneLogin ProdPad link supports the following capabilities:

  • Login from the OneLogin dashboard into ProdPad.
  • The user can also login to ProdPad if they go to https://app.prodpad.com/ via OneLogin.
  • Just-in-time provisioning: if a user has never logged into ProdPad before and they click on the ProdPad app in the dashboard, a role will be created for them in your account. The role will have a reviewer type unless the role attribute is configured.
  • For Performance and Enterprise accounts, you can set up SCIM so that users are auto-provisioned. See here for steps to set this up.

Important!

If you currently have another authentication method enabled such as Google or Slack, please disable them prior to installing SAML.

In ProdPad

  1. To start go to Account Settings and select the Security tab.
  2. Now select the SSO/SAML sub-tab.
  3. Click the "Add authentication type" button and select OneLogin from the dropdown.Screen_Recording_2020-05-05_at_05.33_pm.gif
  4. Keep the modal open (you will need these URLs) and go to Onelogin.

In OneLogin

  1. Create a new SAML 2.0 connector.
  2. On the Info tab enter a name (we suggest ProdPad) and upload the ProdPad logos (attached below) to make it easy for your users to recognise the app in their dashboard. Click Save to continue.
  3. In the "SAML Audience URL" field paste the Audience/Identifier URL from ProdPad (https://api.prodpad.com/api/v2/sso/saml/metadata)
  4. In the "SAML Consumer URL" field paste the ACS/Reply URL from ProdPad (https://api.prodpad.com/api/v2/sso/saml/acs)
  5. If applicable, in the "Single Logout URL" field paste the Single Logout URL (https://api.prodpad.com/com/api/v2/sso/saml/sls)
  6. Click "Save" in the top right hand corner.
  7. Open the "Parameters" tab and make sure that NameID is set to email.
    Screen_Shot_2017-04-18_at_21.17.12.png
  8. Still on the "Parameters" tab click on the "add parameter" link.
  9. Enter "User.FirstName" and select the checkbox "Include in SAML assertion".
    new_field.png
  10. Click on the parameter row in the parameter table.
    parameters2.png
  11. Select the option "First Name" from the dropdown for "Value" and press save. The parameter table should now look like this:
    custom_save.png
  12. Repeat steps 12 to 14 but this time instead of "User.FirstName" create a parameter named "User.LastName" and associate the value "Last Name" to the parameter.
  13. If you wish to utilise Just In Time provisioning for user roles, repeat steps 12 to 14 but this time instead of "User.FirstName" create a parameter named "User.ProdpadRole" and associate the value of the user field to the parameter. For example, you can create a custom user field called "ProdPad Role" and associate this custom user field to the "User.ProdpadRole" parameter. The values for this field should be either 'admin', 'editor' or 'reviewer', if no value is passed over or if the value is incorrect new users will be created as 'reviewer by default.
  14. Click on the SSO tab and if you haven't already associate a X.509 certificate to the SAML connector.
  15. Save the app.
  16. Open the SSO tab and now return to ProdPad.

In ProdPad

  1. Click the Next button on the OneLogin modal.
  2. Copy into the field labelled "IdP Entity ID/URL" in ProdPad, the URL from the field "Issuer URL" in OneLogin.
  3. Copy into the field "IdP SAML Single Sign-On URL" in ProdPad, the URL in the field "SAML 2.0 Endpoint" in OneLogin.
  4. Copy into the field "Logout URL" in ProdPad, the URL in the field "SLO Endpoint" in OneLogin.
  5. Paste the text of X.509 certificate (public key generated above) into the X.509 certificate field.Image_2020-05-01_at_3.35.48_pm.png
  6. Now you must decide whether you want your users to login by IdP initiated login only or by IdP and SP initiated login. If you select IdP only, you user must login from the OneLogin dashboard, rather than the ProdPad login page. If you opt for IdP & SP initiated login you must set up the Domains that your users can login from, more about this here.
  7. If you have opted for IdP only, hit save and you are done! Your users can now use the ProdPad app link on their OneLogin dashboard.
  8. If you have opted for IdP & SP initiated login, from the Domains list select the domain that corresponds to the email address they will be login in from. Note: for a domain to appear as an option here in must be verified under the Domains tab.
  9. Hit save.

To test you can now go to the Identity providers console and click on the ProdPad app icon and you'll be logged into ProdPad. If you have configured for You can also go to to https://app.prodpad.com/login and enter your email. You'll then be shown a button to login using OneLogin.

Comments